Package alpine.server.auth

Class PasswordService

java.lang.Object
alpine.server.auth.PasswordService
public final class PasswordService extends Object
Alpine PasswordService that provides a secure method of hashing and validating user passwords. Internally, PasswordService uses a combination of SHA-512 and BCrypt for these functions. The password goes through the following flow during the hashing process: Password » SHA-512 » BCrypt (per-user salt, default rounds: 14) In this flow, a user password is hashed using SHA-512 which creates a 128 character HEX representation of a hash. This is called the prehash. The prehash acts to both 'extend' the password and to introduce built-in denial-of-service protection from exceptionally long passwords. Once the password is prehashed, it's sent to BCrypt where a per-user salt is used and the password is properly hashed. Both the creation and verification of hashes go through this process. Additionally, this class contains a method which will determine if a password should be rehashed due to an increase in rounds defined on the server.
Since:
1.0.0
Author:
Steve Springett

  • Method Summary

    Modifier and Type
    Method
    Description
    static char[]
    createHash(char[] password)
    Given a password to hash, this method will first prehash the password using SHA-512 thus creating a 128 character HEX representation of the password, which is then sent to BCrypt where a unique salt is generated and the prehashed password is properly hashed using the configured BCrypt work factor (determined by Config.AlpineKey.BCRYPT_ROUNDS.
    static char[]
    createHash(char[] password, char[] salt)
    Given a password to hash, this method will first prehash the password using SHA-512 thus creating a 128 character HEX representation of the password, which is then sent to BCrypt where the prehashed password is properly hashed using the specified salt and uses the configured BCrypt work factor (determined by Config.AlpineKey.BCRYPT_ROUNDS.
    static boolean
    matches(char[] assertedPassword, ManagedUser user)
    Checks the validity of the asserted password against a ManagedUsers actual hashed password.
    static boolean
    shouldRehash(char[] bcryptHash)
    Checks the asserted BCrypt formatted hashed password and determines if the password should be rehashed or not.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

  • Method Details

    • createHash

      public static char[] createHash(char[] password)
      Given a password to hash, this method will first prehash the password using SHA-512 thus creating a 128 character HEX representation of the password, which is then sent to BCrypt where a unique salt is generated and the prehashed password is properly hashed using the configured BCrypt work factor (determined by Config.AlpineKey.BCRYPT_ROUNDS.
      Parameters:
      password - the password to hash
      Returns:
      a hashed password
      Since:
      1.0.0

    • createHash

      public static char[] createHash(char[] password, char[] salt)
      Given a password to hash, this method will first prehash the password using SHA-512 thus creating a 128 character HEX representation of the password, which is then sent to BCrypt where the prehashed password is properly hashed using the specified salt and uses the configured BCrypt work factor (determined by Config.AlpineKey.BCRYPT_ROUNDS.
      Parameters:
      password - the password to hash
      salt - the salt to use when hashing this password
      Returns:
      a hashed password
      Since:
      1.0.0

    • matches

      public static boolean matches(char[] assertedPassword, ManagedUser user)
      Checks the validity of the asserted password against a ManagedUsers actual hashed password.
      Parameters:
      assertedPassword - the clear text password to check
      user - The ManagedUser to check the password of
      Returns:
      true if assertedPassword matches the expected password of the ManangedUser, false if not
      Since:
      1.0.0

    • shouldRehash

      public static boolean shouldRehash(char[] bcryptHash)
      Checks the asserted BCrypt formatted hashed password and determines if the password should be rehashed or not. If the BCrypt work factor is increased (from 12 to 14 for example), passwords should be evaluated and if the existing stored hash uses a work factor less than what is configured, then the bcryptHash should be rehashed. The same does not apply in reverse. Stored hashed passwords with a work factor greater than the configured work factor will return false, meaning they should not be rehashed. If the bcryptHash length is less than the minimum length of a BCrypt hash, this method will return true.
      Parameters:
      bcryptHash - the hashed BCrypt to check
      Returns:
      true if the password should be rehashed, false if not
      Since:
      1.0.0